In a surprising turn of events, Nothing Chats, the iMessage clone recently introduced by technology company Nothing, has been abruptly pulled from the Google Play Store. While the official explanation cites “several bugs” as the cause, emerging evidence suggests that severe security concerns may be at the heart of the removal.
Nothing took to Twitter to announce the withdrawal, stating, “We’ve removed the Nothing Chats beta from the Play Store and will be delaying the launch until further notice to work with Sunbird to fix several bugs. We apologize for the delay and will do right by our users.”
However, a thorough technical analysis conducted by Rida F’kih from Texts.com and Twitter users @batuhan and @1ConanEdogowa has uncovered a more troubling narrative. It appears that Nothing’s service provider, Sunbird, may have misled users about the end-to-end encrypted nature of messages passing through its servers.
To use Nothing Chats, users were required to sign in with their Apple ID on Sunbird servers, operating on a Mac mini running a virtual machine. While Sunbird claimed that the messages sent to its servers were encrypted, the analysis revealed that the JSON Web Tokens (JWT) generated by the service were sent unencrypted to another Sunbird server without SSL protection. This left them susceptible to interception by potential attackers.
What’s more concerning is that these messages were decrypted and stored on Sunbird servers, providing attackers with a window of opportunity to access them before the intended recipients. Texts.com demonstrated this vulnerability by intercepting JWTs, gaining access to the Firebase real-time database, and downloading user information and conversations with just 23 lines of code.
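The failure described above, a bearer token travelling over plain HTTP, is easy to catch in a pre-release audit by replaying the client's traffic through a logging proxy and flagging any JWT sent to a non-TLS endpoint. The Python below is an added example written for this article, not Texts.com's analysis or any Sunbird code; the hosts, the request records and the token (which carries a placeholder signature) are all constructed.

```python
import base64
import json
import re
from urllib.parse import urlparse

# Three dot-separated base64url segments; a JSON header starting '{"' encodes to "eyJ".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_constructed_jwt(claims: dict) -> str:
    # Constructed sample token with a placeholder signature; only its shape matters.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"

def decode_claims_unverified(token: str) -> dict:
    # Read the payload without checking the signature: this is exactly what
    # a passive observer of cleartext traffic can do with a captured token.
    _header, payload, _signature = token.split(".", 2)
    return json.loads(_b64url_decode(payload))

def find_cleartext_tokens(requests):
    # Audit (url, headers) records and flag every JWT sent to an http://
    # endpoint, whether it travels in a header or in the URL itself.
    findings = []
    for url, headers in requests:
        parsed = urlparse(url)
        if parsed.scheme.lower() != "http":
            continue  # TLS-protected requests are not the problem here
        haystack = " ".join([url, *headers.values()])
        for token in JWT_RE.findall(haystack):
            claims = decode_claims_unverified(token)
            findings.append({"host": parsed.hostname, "sub": claims.get("sub"),
                             "exp": claims.get("exp")})
    return findings

# Constructed sample requests on hypothetical hosts, standing in for the
# client traffic an audit would replay through a logging proxy.
TOKEN = make_constructed_jwt({"sub": "user-1", "exp": 1700000000})
SAMPLE_REQUESTS = [
    ("https://auth.example.invalid/login", {"Authorization": "Bearer " + TOKEN}),
    ("http://sync.example.invalid/messages", {"Authorization": "Bearer " + TOKEN}),
    ("http://cdn.example.invalid/app.js", {"Accept": "*/*"}),
]
```

Running `find_cleartext_tokens(SAMPLE_REQUESTS)` reports only the second request, with the subject and expiry an eavesdropper would read off the wire; a clean build should return an empty list.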
While the privacy issue seems to be directly tied to Sunbird, Nothing’s association with the service provider implicates the company in the matter. Describing these critical security issues as mere “bugs” appears to be a downplaying of the severity of the situation.
The future of Nothing Chats remains uncertain as the company works to address these security concerns. In the meantime, users are advised to exercise caution when using third-party services, especially those requiring sensitive credentials. This development comes at a time when Apple has announced RCS support, potentially making alternatives less appealing.
Tech Mansion will continue to monitor this situation and provide updates as it unfolds.